Single Sign-On (SSO) allows users to authenticate to FMX with their existing Active Directory credentials. This reduces password management overhead and improves security by centralizing authentication, and the password and lockout policy that goes with it, in Active Directory rather than in a separate FMX password store.

FMX supports WS-Federation for organizations using on-premises Active Directory Federation Services (AD FS).

Important:
Organizations that do not use on-premises AD FS should instead configure SSO using Azure Active Directory (Microsoft Entra ID). This document applies only to on-prem AD FS environments.


Requirements

Before starting, confirm the following:

  • An active FMX site (example: https://yourcompany.gofmx.com)

  • On-premises Active Directory

  • AD FS 2.0 or later installed and operational (the wizard page names below follow AD FS on Windows Server 2016 or later; differences in older versions are noted where they occur)

  • Administrative access to the AD FS Management console


Supported Protocol

  • WS-Federation


Step 1: Add FMX as a Relying Party Trust

  1. Log in to the AD FS server.

  2. Open AD FS Management.

  3. In the left navigation pane, expand Trust Relationships.

  4. Click Relying Party Trusts.

  5. In the right Actions pane, click Add Relying Party Trust….


Step 2: Add Relying Party Trust Wizard

  1. Select Claims aware and click Start. (AD FS 2.0 through 3.0 do not offer this choice; just click Start.)

  2. Choose Import data about the relying party published online or on a local network.

  3. Enter the following FMX federation metadata URL:

    https://yourcompany.gofmx.com/federationmetadata/2007-06/federationmetadata.xml
    

    Replace yourcompany with your FMX hostname.

  4. Click Next and proceed through the wizard.

  5. When prompted for an access control policy, select:

    • Permit everyone (on AD FS 2.0 through 3.0 this page is Choose Issuance Authorization Rules; select Permit all users to access this relying party)

    This lets any Active Directory account obtain a token for FMX; who can actually do anything inside FMX is still governed by FMX user accounts and roles. If you want AD FS itself to limit sign-in to a group, choose a group-based policy instead, and expect users outside that group to receive an access denied error from AD FS (see Troubleshooting).

  6. Check the option:

    • Open the Edit Claim Rules dialog for this relying party trust when the wizard closes

  7. Complete the wizard.


Step 3: Configure Claim Rules

FMX requires specific user attributes to be sent in the authentication token. These are configured as issuance transform rules on the relying party trust; the Send LDAP Attributes as Claims template reads them from Active Directory and issues them as claims.

Create a New Claim Rule

  1. In the Edit Claim Rules window, click Add Rule….

  2. Select Send LDAP Attributes as Claims.

  3. Click Next.


Configure LDAP Attribute Mapping

  • Attribute Store: Active Directory

Add the following mappings:

Name Identifier (Required)

  • LDAP Attribute: User-Principal-Name

  • Outgoing Claim Type:

    • Name ID

    • OR http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier


Email Address (Required)

  • LDAP Attribute: E-Mail-Addresses

  • Outgoing Claim Type:

    • E-Mail Address

    • OR http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress


Given Name (Required)

  • LDAP Attribute: Given-Name

  • Outgoing Claim Type:

    • Given Name

    • OR http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname


Surname (Required)

  • LDAP Attribute: Surname

  • Outgoing Claim Type:

    • Surname

    • OR http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname


Telephone Number (Optional)

  • LDAP Attribute: Telephone-Number

  • Outgoing Claim Type:

    • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/homephone

  4. Click Finish.

  5. Click OK to save the claim rules and close the Edit Claim Rules dialog.
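The following is an added example, not code from the FMX article or from FMX, that performs Steps 1 through 3 with the AD FS PowerShell module instead of the wizard: it creates the relying party trust from the FMX metadata URL, attaches the Permit all users authorization rule and a Send LDAP Attributes as Claims rule with exactly the five mappings listed above, then reads the trust back so you can confirm what AD FS stored. The FMX hostname yourcompany.gofmx.com and the trust display name FMX are placeholders; run it in an elevated PowerShell session on the AD FS server.

```powershell
# Added example (not from the FMX article): equivalent of Steps 1-3 via the ADFS module.
# Assumptions: FMX hostname "yourcompany.gofmx.com", trust display name "FMX".
Import-Module ADFS

$fmxHost     = 'yourcompany.gofmx.com'   # replace with your FMX hostname
$metadataUrl = "https://$fmxHost/federationmetadata/2007-06/federationmetadata.xml"

# Issuance transform rule in AD FS claim rule language. This is the rule the
# "Send LDAP Attributes as Claims" template generates: the outgoing claim types in
# "types" are positional against the LDAP attributes listed in "query".
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "FMX user attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/homephone"),
          query = ";userPrincipalName,mail,givenName,sn,telephoneNumber;{0}",
          param = c.Value);
'@

# Issuance authorization rule: "Permit all users to access this relying party".
# On AD FS 2016 or later you may instead pass -AccessControlPolicyName 'Permit everyone'.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Importing from the metadata URL fills in the identifier, the WS-Federation endpoint and
# FMX's signing certificate. Monitoring/auto-update make AD FS re-read FMX's metadata on a
# schedule, the mirror image of FMX polling the AD FS metadata URL in Step 4.
Add-AdfsRelyingPartyTrust -Name 'FMX' `
    -MetadataUrl $metadataUrl `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules `
    -MonitoringEnabled $true `
    -AutoUpdateEnabled $true

# Read the trust back: the Identifier and WSFedEndpoint should point at your FMX site,
# and the transform rules should list all five claim types before you involve FMX Support.
Get-AdfsRelyingPartyTrust -Name 'FMX' |
    Select-Object Name, Identifier, WSFedEndpoint, MonitoringEnabled, AutoUpdateEnabled,
                  @{ n = 'TransformRules'; e = { $_.IssuanceTransformRules } }
```

The rule text is the same language the wizard writes into the trust; if you later open Edit Claim Rules in the console you will see it there as a Send LDAP Attributes as Claims rule, and you can keep it in source control and re-apply it with Set-AdfsRelyingPartyTrust after a rebuild.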


Step 4: Complete the Integration with FMX

FMX must be able to retrieve your AD FS federation metadata to complete setup.

Federation Metadata URL

Your AD FS metadata is available at:

https://<your-ad-fs-server>/FederationMetadata/2007-06/FederationMetadata.xml

Here <your-ad-fs-server> is the federation service name (for example adfs.yourcompany.com), which is not necessarily the computer name of the AD FS server.

Provide Metadata to FMX

  • Recommended: Provide FMX with the publicly accessible metadata URL.

  • Alternative: If the metadata URL is not reachable from the internet (for example, AD FS is not published through a Web Application Proxy), download the XML file and provide a copy to FMX Support.

Using a URL allows FMX to automatically pick up new token-signing certificates and prevents authentication interruptions. AD FS renews its token-signing certificate on its own before it expires (automatic certificate rollover, enabled by default), so a static metadata file goes stale at the next rollover.


Troubleshooting

Users Are Redirected to a Registration Page

Cause:
Required attributes (Name ID, email, given name, or surname) are missing from the SSO token, so FMX cannot match the signed-in user to an existing FMX account.

Resolution:

  • Verify all required claims are configured.

  • Confirm affected users have values populated in Active Directory.
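An added example, not from the FMX article or from FMX, that does the second check in bulk: it reports every user in a group (or every enabled user) who is missing one of the Active Directory attributes the required claim rules read, so you can fix the directory before those users land on the registration page. The ActiveDirectory RSAT module is assumed to be installed, the group name FMX Users is a placeholder, and the function name is this example's own.

```powershell
# Added example (not from the FMX article): find AD users who would be missing a
# required FMX claim. Assumes the ActiveDirectory module; "FMX Users" is a placeholder.
Import-Module ActiveDirectory

function Get-FmxAttributeGaps {
    param([string]$GroupName)   # omit to audit all enabled users

    # ADUser property -> claim it feeds, per the Send LDAP Attributes as Claims rule.
    # (EmailAddress is the ADUser name for the mail attribute, Surname for sn.)
    $required = [ordered]@{
        UserPrincipalName = 'Name ID (User-Principal-Name)'
        EmailAddress      = 'E-Mail Address (E-Mail-Addresses)'
        GivenName         = 'Given Name (Given-Name)'
        Surname           = 'Surname (Surname)'
    }
    $props = @($required.Keys)

    $users = if ($GroupName) {
        Get-ADGroupMember -Identity $GroupName -Recursive |
            Where-Object objectClass -eq 'user' |
            Get-ADUser -Properties $props
    } else {
        Get-ADUser -Filter 'Enabled -eq $true' -Properties $props
    }

    foreach ($u in $users) {
        $missing = foreach ($attr in $required.Keys) {
            if ([string]::IsNullOrWhiteSpace($u.$attr)) { $required[$attr] }
        }
        if ($missing) {
            [pscustomobject]@{
                SamAccountName = $u.SamAccountName
                UPN            = $u.UserPrincipalName
                MissingClaims  = $missing -join ', '
            }
        }
    }
}

# Users in the pilot group who would be sent to the FMX registration page:
Get-FmxAttributeGaps -GroupName 'FMX Users' | Format-Table -AutoSize
```

An empty result means every audited account carries all four required attributes; a user listed here will not be matched to an FMX account no matter how the claim rules are configured.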


Authentication Fails or Login Stops Working Suddenly

Cause:
The AD FS token-signing certificate has been renewed or rolled over (AD FS does this automatically before expiry when automatic certificate rollover is enabled, which is the default) or has expired, and FMX is still validating tokens against the old certificate.

Resolution:

  • If FMX was provided a metadata URL, no action is usually required — FMX will automatically retrieve the updated certificate.

  • If FMX was provided a static metadata file, a new copy must be sent after certificate renewal.
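An added example, not from the FMX article or from FMX, covering both the metadata hand-off in Step 4 and the certificate problem above: run on the AD FS server, it fetches the federation metadata over the same URL FMX would poll, extracts the signing certificates published in it, compares them with the token-signing certificate AD FS is actually using, and warns if the primary certificate is not published or is close to expiry. The federation service name adfs.yourcompany.com is a placeholder.

```powershell
# Added example (not from the FMX article): verify the published AD FS metadata and
# token-signing certificate. Run on the AD FS server. Assumes the federation service
# name "adfs.yourcompany.com".
Import-Module ADFS

$fsName      = 'adfs.yourcompany.com'   # federation service name, not the computer name
$metadataUrl = "https://$fsName/FederationMetadata/2007-06/FederationMetadata.xml"

# Fetch the metadata the way FMX would; a failure here means FMX cannot poll it either.
$resp = Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing -ErrorAction Stop
[xml]$md = $resp.Content
"Metadata entityID: $($md.DocumentElement.GetAttribute('entityID'))"

# Signing keys are KeyDescriptor use="signing" elements (SAML metadata namespace)
# wrapping an xmldsig X509Certificate; the document signature's own cert is elsewhere.
$samlMd = 'urn:oasis:names:tc:SAML:2.0:metadata'
$dsig   = 'http://www.w3.org/2000/09/xmldsig#'
$published = foreach ($kd in $md.GetElementsByTagName('KeyDescriptor', $samlMd)) {
    if ($kd.GetAttribute('use') -ne 'signing') { continue }
    foreach ($x in $kd.GetElementsByTagName('X509Certificate', $dsig)) {
        $raw = [Convert]::FromBase64String($x.InnerText.Trim())
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($raw)
    }
}
$published = $published | Sort-Object Thumbprint -Unique
"Signing certificates published in metadata:"
$published | Format-Table Thumbprint, NotAfter, Subject -AutoSize

# What AD FS signs with now (IsPrimary) plus any secondary cert staged for rollover.
$local = Get-AdfsCertificate -CertificateType Token-Signing
"Local token-signing certificates:"
$local | Format-Table Thumbprint, IsPrimary, @{ n = 'NotAfter'; e = { $_.Certificate.NotAfter } } -AutoSize

$primary = $local | Where-Object IsPrimary
if ($published.Thumbprint -notcontains $primary.Thumbprint) {
    Write-Warning "Primary token-signing cert $($primary.Thumbprint) is not in the published metadata; FMX would reject tokens."
}
$days = ($primary.Certificate.NotAfter - (Get-Date)).Days
if ($days -lt 30) {
    Write-Warning "Primary token-signing cert expires in $days days. If FMX holds a static metadata file, send a fresh copy after rollover."
}
"AutoCertificateRollover: $((Get-AdfsProperties).AutoCertificateRollover)"
```

If the published thumbprints and the local primary thumbprint differ, FMX (or any other relying party reading the metadata) is trusting a certificate AD FS no longer signs with; when FMX holds a static file rather than the URL, the file is what to compare against instead of the live download.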


Users Receive an Access Denied Error

Cause:

  • User does not meet AD FS access control rules

  • Relying party trust misconfiguration

Resolution:

  • Confirm the access control policy on the relying party trust permits the user (Permit everyone / Permit all users to access this relying party, or, if you chose a group-based policy, that the user is a member of that group)

  • Review the AD FS Admin log (Event Viewer, Applications and Services Logs > AD FS > Admin) for claim issuance and authorization errors


Need Help?

Once configuration is complete, contact FMX Support or your Customer Success Manager and provide your AD FS federation metadata URL or file to finalize setup.
